Computer networks are vulnerable to many types of malicious attacks, such as viruses, worms, denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, and the like. A network administrator often must take remedial action when an attack is detected, preferably as quickly as possible. However, differentiating what is normal network activity or noise from a possible network attack, anomaly, or problem is a difficult and imprecise task. An increase in network activity might be normal behavior or it might be a malicious act, such as the propagation of a worm. In addition, it is even more difficult to detect anomalies in the face of cyclical (seasonal) data, missing data, highly variable data (or where variability changes with the average), and changes in the baseline or what is considered “normal.” It would thus be an advance in the art to provide a more efficient and effective tool to determine the difference between normal and harmful network traffic activities.